Assessing the security of VoIP Services

Size: px
Start display at page:

Download "Assessing the security of VoIP Services"

Transcription

1 Assessing the security of VoIP Services Humberto Abdelnur, Radu State, Isabelle Chrisment, Christian Popi To cite this version: Humberto Abdelnur, Radu State, Isabelle Chrisment, Christian Popi. Assessing the security of VoIP Services. The Tenth IFIP/IEEE International Symposium on Integrated Network Management (IM 2007), May 2007, Munich, Germany, ( ), pp , 2007, 10th IFIP/IEEE International Symposium on Integrated Network Management. <inria v1> HAL Id: inria https://hal.inria.fr/inria v1 Submitted on 22 May 2007 (v1), last revised 12 Jan 2007 (v2) HAL is a multi-disciplinary open access archive for the deposit and dissemination of scientific research documents, whether they are published or not. The documents may come from teaching and research institutions in France or abroad, or from public or private research centers. L archive ouverte pluridisciplinaire HAL, est destinée au dépôt et à la diffusion de documents scientifiques de niveau recherche, publiés ou non, émanant des établissements d enseignement et de recherche français ou étrangers, des laboratoires publics ou privés.

2 Assessing the security of VoIP Services H. Abdelnur, R. State, I. Chrisment, C. Popi LORIA - INRIA Lorraine 615, rue du jardin botanique Villers-les-Nancy, France {abdelnur state chrisment Abstract VoIP networks are in a major deployment phase and are becoming widely spread out due to their extended functionality and cost efficiency. Meanwhile, as VoIP traffic is transported over the Internet, it is the target of a range of attacks that can jeopardize its proper functionality. In this paper we describe our work in a VoIP specific security assessment framework. Such an assessment is automated with integrated discovery actions, data management and security attacks allowing to perform VoIP specific penetration tests. These tests are important because they permit to search and detect existing vulnerabilities or misconfigured devices and services. Our main contributions consist in an elaborated network information model capable to be used in VoIP assessment, an extensible assessment architecture and its implementation, as well as in a comprehensive framework for defining and composing VoIP specific attacks. I. INTRODUCTION VoIP network have recently become widely deployed. They provide several advantages which are not feasible in traditional telephony and in that way do become really appealing to service providers and regular end users. Although the current availability provided is still lower than in traditional telephony, we expect that in the short future the two services will become equal in terms of expected performance. Since no dedicated network is used for VoIP, the user is exposed to different attacks like Denial of Service (DoS), Eavesdropping, Hijacking, etc. Although VoIP technology is becoming more mature due to its enhanced functionality, many VoIP devices and services can present security threats if not properly configured. Our work is motivated by the lack of a comprehensive VoIP security solution integrating both the management plane and a security audit platform. In this paper we present our approach for a VoIP security assessment platform. For this purpose, our paper is structured as follows. In section II we give a background overview of a VoIP network and highlight the security threat model. We next present the problematics for achieving an automated security assessment platform. In section III we describe the architecture of our tool focusing on its VoIP assessment functionality. In section IV we describe the underlying Network Information Model capable to represent the required data. In section V we describe methods to design a penetration test and how the assessment can be automated. We discuss relationships with existing research works in section VI and conclude the paper in section VII. II. VOIP AND SECURITY A. VoIP Architecture and Deployment VoIP services are gaining popularity in the latest years because of their lower cost comparing to the traditional telephony, their facility to integrate other services like video conferences, instant messages and presence services. The major signalling protocols used in VoIP networks are the Session Initiation Protocol (SIP) [20] and H.323 [22]. The traditional telephony, known as the Public Switched Telephone Network (PSTN), is based on circuit-switched networks rather than the packet-switched oriented networks like the Internet. For every connection, the PSTN network reserves bandwidth independent of whether it is used or not. To perform a call from one end to the other, the Signalling System #7 protocol (SS7) [6] is used. This latter deals with call routing, call establishment and billing information. An important difference between VoIP networks and the PSTN is that in the VoIP networks the intelligence is located in the end devices rather than in the core switching equipment. However in VoIP services, since all the data is supposed to be sent over public networks such as the Internet (in practice some VoIP service providers do use dedicated trunks), important security issues must be addressed. In consequence, a range of attacks has to be considered; for instance: Denial of Service (DoS), Spam over IP Telephony (SPIT), eavesdropping, hijacking, etc. For a complete and comprehensive list of the threats refer to VoIPSA [7]. In a SIP architecture three main entities are identified: User Agents (UA): These are the end devices. They are only used to initialize a session. A regular UA can be a soft or hard phone (i.e. software or hardware endpoints) as well as a gateway that connects to other VoIP protocols or the PSTN. UA can be divided in two logical entities: User Agent Client (UAC), which is the one in charge of initiating the request, and the User Agent Server (UAS) which is the one responsible for generating the responses to the received requests. SIP Servers: These services are not mandatory to establish a session between two SIP UA devices but they provide a vast range of extra functionalities to make it easier. According to their functionality, SIP servers can be subclassified as follows. SIP Registrar Server: It is used from a UA in

3 order to register in a SIP domain address. The Server obtains the UA s IP address as well as the associated user and stores them for future use. SIP Proxy Server: It is used to forward requests on behalf of other SIP entities. It can not initiate a request by itself, but it can offer additional services like for instance security, authentication and authorization. SIP Redirect Server: It is used to redirect the caller to the searched UA. The difference with respect to the proxy is that the Redirect Server tells the entity the contact address (of the UA) rather than forward requests itself. The redirect server is also able to retrieve multiple locations in order to fork the call. SIP Location Sever: It is used to keep a database of the users containing their URLs, IP address, features and other preferences. It is used by the SIP Servers to allow an application level mobility. B. Assessment Functionality/Problems Network security assessment provides the necessary knowledge to the administrators in order to estimate the degree of security that their networks reach. Different concepts of assessment range from inventory management and up to almost full fledged penetration tests [16]. The main objective of an assessment is to find potential vulnerabilities, while a penetration test will also exploit them. There is a fine borderline between penetration testing and assessment. An assessment test is not supposed to exploit vulnerability with a proof of concept code, but in practice in order to avoid false positives, this borderline is crossed. The best approach to avoid intruders to get into the network is to have the latest software updates, restrict already known vulnerable services and the most important is to periodically perform comprehensive assessment tests. For these tests, network devices and hosted services must be automatically discovered by the assessment team and next the tests must be performed. This topic is also the main theme of our paper. Our work was challenged by providing an automated approach capable to be accurate in the discovery of the VoIP infrastructure, perform user driven attacks and allow dynamic extension with security plugins. The major challenges were posed by the numerous types of services that must be checked, the security constraints that exist, and additional firewalls and NAT devices that do increase the difficulty of an accurate fingerprinting and discovery phase. For illustration, consider that a service by itself can provide a high level of security, but when it is in dependency or relationship with others a security breach might occur due to their interaction. Information about the type of entities, the services on which they are dependent as well as the hosting device is the starting point to discover flaws in the system. For example, a simple SIP hard phone may depend on a DHCP service to obtain its IP address, on the DNS service to resolve other IP addresses, on a TFTP service to retrieve its configuration, and on a SIP Proxy and Registrar to make and receive calls. If one of those services is impersonated or compromised the overall functionality of the phone may become unsecured. To network administrators, many pieces of information of the topology and the configuration of devices in the network are known. That information can be helpful to make the assessment more realistic and accurate. As described in this article, such information can be inferred by advanced TCP/IP and application level fingerprinting tools. As a reminder, security assessment is less invasive than a real attack even though it has to be carefully planned in order not to disrupt services and compromise the whole network. III. VOIP ASSESSMENT ARCHITECTURE The three main challenges that an automated assessment must meet are: A. Discover as much as possible the topology, the services and the configuration running on the devices in the network, B. Store and provide all the information gathered in an easily usable manner, C. Launch different penetration tests, discovery and/or attack actions using the information acquired. It is worth noting that this approach is not meant to be worked out at once, but rather progressively, in order to obtain all the information related to an assessment. One should be able to provide pre-defined scripts and the possibility to generate new ones, capable to launch actions using the common knowledge base, on the fly. An architecture overview of the assessment tool is shown in Figure 1 where it is possible to differentiate the three tasks previously mentioned. A more detailed description of these concepts is given below. Note that it is not an exhaustive architecture design; many new capabilities such as plug-ins can be dynamically added to the corresponding levels of the tool. Fig. 1. Security Assessment Tool Architecture Overview

4 A. Discovery Actions The ways to discover entities in a network, their configuration and their hosted services can be classified as either passive or active fingerprinting techniques. A passive fingerprinting tool is not meant to be aggressive, it only listens to all the traffic on the network and processes all this information to recognize the actual state and possible fingerprints of the device. At the opposite side, through the injection of crafted/normal packets, the active scanner tries many techniques to discover the operating system, version, open ports, etc. running in the target device. The examination of those replies provides a vast field of information that can be useful for detecting different versions of the implementations of a stack for a protocol. In the following we describe each tool that is reused by our platform and finally we conclude on how they complement each other in the overall system. 1) P0F Monitoring: This module integrates the discovery actions done by P0f [24], a passive OS fingerprinting detection tool, into the Information Model described in section IV. As a passive fingerprinting tool, it listens to the packets transiting the network across the scope of the hosting device. It analyzes the different behaviours and peculiar protocol level specifics presented by the target implementation. Using techniques that interpret the incoming and outcoming connection as well as the refused and established ones it is able to detect possible fingerprints in the messages. Thus, it will lead to know the software or/and version running in the target devices. P0F provides a mechanism to add new fingerprint signatures which depends on the combination of different values of the packet. The signature entry looks like: wwww:ttt:d:ss:ooo...:qq:os:details as depicted in Table I: wwww ttt D ss OOO QQ OS details window size. It can be *, %nnn, Snn (multiple of MSS) or Tnn (multiple of MTU) are allowed. initial TTL don t fragment bit (0 - not set, 1 - set) overall SYN packet size options in the order they should appear in the packet. list of oddities or bugs of this particular stack. OS genre (Linux, Solaris or Windows) OS description ( on x86, etc) TABLE I SIGNATURE ENTRY FOR P0F Concerning this format, every packet captured by P0F will be compared with the list of signature entries and filtered to match the corresponding OS of the device in question. Since this is a passive tool, no packet is injected into the network and thus the tool can be hardly detected. As a consequence it depends on the packets sent by the hosts, and this will make it less accurate than other active tools. However, one important remark on P0F is that it can bypass a firewall, so it can be useful for detecting fingerprints through a connection allowed by the firewall, where active scanners will fail. 2) Active Scanner (NMAP): The Active Scanner module uses already existing software which allows the discovery of devices as well as their properties and running services. One such tool is NMAP [5] recognized as a very powerful tool for its remote OS detection and port scanning. Its discovery procedures are based on exact TCP/IP network stack fingerprinting. This is done by sending multiple packets to the target machine and examining specific fields in the answered TCP packets. Such packets belong to sample tests to discover supported options and vendor specific stack behaviour. Once those tests are answered, the received messages are analyzed and a fingerprint entry is created. A signature entry is composed of many categories and is made of a list in the format testname=value. A value as well as a whole test can be missed depending on many factors as, for example, that the test is not supported by the system, no reply was received, etc. The result of the test includes categories like SEQ (sequence analysis of the probe packets), OPS (TCP option received from the probes), WIN (windows sizes of the probes), etc. Once the fingerprint is created it s compared with an OS or service fingerprint signature in its database to identify the device. This type of discovery is very aggressive since most of the sent packets violate the specifications of given network protocols. The information obtained by such a tool includes the running operating system, the open/closed/filtered ports as well as the services hosted by them, the version of the software, etc. 3) SNMP Manager: A few VoIP devices support SNMP and if the latter is not properly secured, important information can be leaked out by just interrogating the SNMP agent on the device. This entity is capable to do basic SNMP brute forcing and retrieve management related data to be fed into the assessment module. 4) Cisco Discovery Protocol (CDP) Manager: The Cisco Discovery Protocol [1] is a proprietary protocol used by Cisco devices to advertise themselves and discover other devices in the network. The objective of this protocol is network diagnosis and it is used to identify and troubleshoot the network. The packets generated by the entities supporting this protocol are distributed through multicast and contain relevant information. In the case of SIP phones, a CDP packet exposes a range of data: the actual device model, the firmware version, the device ID (which represents the name of the configuration file if this one is retrieved from a TFTP server), the MAC and IP addresses, the VLAN Domain, and some other less important information. In the functional context, every device periodically sends CDP messages to the multicast address. Cisco entities which support this functionality store the information received to be used as needed. Tools like Yersinia [10] and IRPAS [3] are instantiated in this module because of their ability to monitoring CDP packets and launch different attacks on this field.

5 5) SIP Stack Fingerprinting: Similar to P0F and NMAP, which use fingerprint signatures to discover the operating system and running services, additional VoIP specific fingerprinting is possible. One approach in this area of Hong Yan et al. [14] who use passive and active scanner techniques to find out properties about the SIP entities. The above mentioned work provided a table describing vendor and device specific particularities in their respective SIP stacks. This allows to identify different implementations and to classify them accordingly. For the active discovery part, the idea is to send OPTION messages and to check the returned set of capabilities. Depending on the answer to malformed messages, the order in the fields and/or the order in the capabilities this method is able to identify some fingerprints. Although a limited scope of devices can be fingerprinted now, an updated database of fingerprint signatures might be a very accurate method. 6) SIP Monitoring Manager: This module is in charge of classifying all the information related to SIP negotiation. Using intercepted packets it detects the current state of a phone (David Lee et al. in [15] demonstrated it using the OSPF protocol, but the same approach can be achieved for the SIP protocol). From isolated packets carrying information like the out-bound proxy, the SIP entities from which the packet has to traverse, etc. can also be recovered. As a summary, P0F and NMap tools are found on the lower level of our discovery tools selection, where they identify different OS or applications which are running on specific devices. NMap, as an active scanner, provides more output, but it is easily detected by IDS. On the other hand, P0F is hard to discover and it is also able to detect signatures of devices behind a firewall or NATs. Meanwhile, the results offered by passive discovery are limited or incomplete and, overall, nothing sound can be passively determined, as O. Arkin describes in [9]. A third tool that allowed us to get even more information is the CDP monitor. This protocol is proprietary, but provides the most valuable source of device level information. Concerning the SIP protocol, a fingerprinting detector specific to this protocol, which complements the information gathered by the other tools, is included. Finally, the SIP monitoring manager is able to detect which is the current state of a SIP device. All the mentioned information from the different tools are merged together in order to provide a wider view of the current network. B. Gathered Information All the information obtained by the Discovery Actions previously mentioned, has to be represented in an organized structure which provides a simple interface to retrieve that data. This structure is defined in detail in section IV. C. Attack Actions Once some necessary information was obtained, different kind of scripts are launched. Those scripts basically exploit some known vulnerabilities to show the degree of exposure of the system. Also, other scripts retrieve new information that is added to the Information Model. In order to lanuch different attacks, the tool provides a repository of scripts for which the Information Model is used to represent the necessary data. Among the scripts, attacks like ARP spoofing, Spanning tree attack, DoS, etc. can be launched derived from tools like [3], [10]. Other SIP related scripts are SIP-Registrar user enumeration, eavesdropping and RTP playout, which are instantiated in the fuzzy packet [13]. The Attack/Vulnerability repository also allows storing new scripts by simple addition of attacks files. On the fly dynamic testing is possible by our Scripting Program environment which offers an interface to create, try and modify those scripts. One of such scripts is the SIP Messages Fuzzer. Security testers of protocol implementations have showed that malformed message (containing for instance not protocol compliant values) fields are able to crash or exploit some entities. In a well known case, only one out of nine SIP phones was able to pass the tests performed by the PROTOS Test-Suite: c07- sip [23]. One single test may contain one or more exceptional elements which can range from exceptional IPv4 addresses to malformed tags. The tests are very simple and mostly probe the robustness of the parser, but they show the weakness in most implementations. The assessment model provides a module to launch attacks in which messages are sent with a specified fuzziness. This module is instantiated from Fuzzy Packet [13] which was our first step through VoIP security assessment. Its architecture is based on an extensible plug-in system, where one main entity is in charge of delegating responsibilities. The functionality depends entirely on test scenarios and the associated plug-ins. In this way, new features can be easily added. A scenario is represented in XML and defines an active template as well as the binding with the responsible plug-ins. The scenario language expresses conditions that can be triggered in Python code. Fuzzy Packet also provides scenarios which show how an existing call can be eavesdropped or even hijacked. By sniffing and injecting packets over the network it is possible to analyze the messages and generate rogue data. Tools like the latter and Scapy [11] allow the user to read and inject packets, with all the desired custom options, in an extremely easy manner. The main difference between those two tools is that the first expresses the scenarios in a XML format, while the second is a low level packet injecting library. IV. INFORMATION MODEL The main objective of our Information Model is to represent, in a structured fashion, all the gathered information and to simplify access to it for any possible assessment. It represents the topology of a network, provided services, applications and any relevant information that can lead to find vulnerabilities. Standards like the Common Information Model (CIM) [2] describe a sound and commonly used way to design an Information Model. Concretely, it defines a conceptual schema,

6 where it specifies how elements are represented. It is based on UML from which it leverages the object oriented modelling. The gathered information is obtained in different ways and previous sections in this paper showed how discovery actions lead to such data. The design objectives must allow for an enhanced usability and capability to represent security related information as well as serve for future reuse. The main module contains a collection for every entity (i.e. devices, services or types of configuration) such that checking for one device in particular should be easily done. The navigation in the model should also allow starting from an entity and getting all the others pieces of information related to it. A simplified UML diagram of the model is shown in Figure 2. The main module in the Information Model is the Device class, which contains information of the discovered entities: OS, version, etc. It also includes the settings and the running configuration, which are not necessarily the same. The first is related to the meta-configuration, i.e. the values defined to configure the device, while the second are the values used by the device. To illustrate such a case, we define an IP address received from a DHCP-Server as a setting while the actual IP address of the device belongs to the running configuration. Each Device class is associated with a list of Service classes which represent the services hosted by it. The Service entities that are primarily concerned in this model are the ones related to SIP entities: DHCP Service: If present in a network, some entities depend on it to obtain their IP address. Also, extra information can be obtained, as for instance the routing gateway IP, the DNS server IP, a TFTP server IP, etc. If this service is compromised (i.e. fake IPs information is given by the service), the attacker can set up its own service and do malicious action as explained below. Routing Gateway: If this service is compromised, the attacker can act as a man in the middle and filter, modify or intercept the VoIP traffic. DNS Service: Entities rely on it to resolve IP addresses. Once the service is compromised, the attacker can resolve URL names to an IP address which is not the real one and for which he/she is providing a rogue service. TFTP Service: Many SIP phones request servers configuration information (i.e. files), that are used for configuration purposes, from TFTP. If this service is compromised, the devices relying on it will be under the control of the attacker. NAT Service: In a SIP environment it presents an important role because its existence will modify the payload transported at the application level. In order to fake information and to be as convincing as possible, this information has to be well known. Concerning the Information Model, the data can be acquired by two different interfaces which provide more suitability for different tests and attacks. Classical type: This is the classical syntax of Object Oriented programming languages to navigate through the attributes of classes. Filtering type: This technique shows an approach focused on the use of filters. Each entity in a class has a function associated to it with the same name as the attribute. This function takes as argument the parameter filter, which consists of a string that can be validated in each of the current entities. Only the entities satisfying the filter value will be returned in a collection instance. Such a collection provides the same methods and the same attributes declared by the items contained in it and its functionality is to map the methods and attributes to every one of its items. To illustrate the basic concepts of both syntaxes, consider an example where one desires to retrieve all the TFTP service instances from the devices in the network (i.e. the ones identified by the discovery tools), which contain the specific file SIP000B46D9CB86.cnf in their repository. Supposing that the Model variable is an instance of the Information Model, the two possible ways to satisfy that request are shown below. Classical type: t f t p l i s t = [ ] f o r device in Model. Device : f o r s e r v i c e i n d e v i c e. h o s t e d S e r v i c e s : i f i s i n s t a n c e ( s e r v i c e, TFTP S e r v i c e ) : i f SIP000B46D9CB86. c n f i n s e r v i c e. f i l e s : t f t p l i s t. append ( s e r v i c e ) r e t u r n t f t p l i s t Filtering type: Model. Device ( ). h o s t e d S e r v i c e s ( f i l t e r = i s i n s t a n c e ( s e l f, TFTP S e r v i c e ) and SIP000B46D9CB86. cnf i n s e l f. f i l e s ) It is worth noting that those two techniques can be freely interlaced. V. WRITING ASSESSMENT TESTS From the security point of view of a network administrator it is important to know the vulnerabilities of the managed system. Once these are detected, the administrator can take the necessary measures to make a tradeoff between the desired level of security and available flexibility to existing services. For this reason, an assessment test is helpful to detect any possible threats and it does so from an intruder s perspective. To design a penetration test in order to achieve a complete assessment, multiple conceptual solutions exist, among which the more important are Attack Trees, Attack Graphs, Petri s Network variants, etc. [12], [17], [19]. In the following section we describe the basic foundations of an Attack Tree design together with an instantiation related to an attack to SIP devices in a network. Our choice of the Attacks Trees design was made for the sake of simplicity, in order to illustrate possible attacks. Once the achievement of a possible attack explained, we proceed to show how it can be accomplished in our scripting environment.

7 Fig. 2. Information Model UML diagram

8 A. Attack Trees Attack trees [19] were designed to summarize possible actions or paths that must be taken in order to perform a penetration test. These trees represent each action as a node of a tree, where the root node represents the desired result actions. Each internal node is considered to be done when one or all of its children (depending if defined as a disjunction or conjunction respectively) are done, i.e. a bottom-up flow. The leaves define the actions that should be done. To differentiate a disjunction from a conjunction of actions in an internal node, the and string is attached to the bottom of the internal node if the action is a conjunction, and an empty string where there is a disjunction. Attack trees are considered to be limited in their functionality, but they provide a good representation of the possible penetration test. In the following an attack tree will be exemplified and we will explain how to perform it using the Information Model described in section IV and the Scripting Environment described in section V-C. B. VoIP Attack Tree Example This example is intended to show some possible ways to intercept the SIP negotiation of a phone, and to go even further and intercept a VoIP call. Figure 3 shows the attack tree example with extra boxes that are used for the ease of the presentation. As already mentioned, the main objective of this attack tree is Intercepting a Call. This example shows two possible main branches to achieve this goal. 1) One approach in which the end-devices will not have to be exposed would be to intercept all the out-going SIP transit traffic. This can be possible if, for example, the out-going proxy of the network is impersonated. The next example describes this attack that requires two actions to be done together: 1) Set up a fake SIP-Proxy in order to provide the needed services and 2) alter the default route to reach the original proxy via the fake one. There are several ways to achieve the latter action, like for instance ARP poisoning, Spanning Tree attacks, DNS poisoning. We would recommend in general to go for layer 2 attacks because these are difficult to detect by an Intrusion Detection System (IDS). 2) The second approach aims at changing the configuration of the SIP User Agent. It also shows some possible ways to accomplish it. a) The first goal is to gain remote access to the device (if possible), which is not an easy task, but which can be done if the software is not up to date, for example. The steps described next aim at discovering as much information as possible, and the use of tools like Nmap (as described in section III-A) help to discover the open ports on the device as well as running services on each of them (including the version and software). Once all that information is processed, databases of known vulnerabilities as US-CERT [8], can be searched for the respective software and version, and one can then check for known vulnerabilities and exploit them. b) Secondly, the penetration tester can alter the services which a SIP UA is relying on (e.g. DHCP server, TFTP server, etc.). Thus, those services can be compromised in order that every UA retrieving its configuration from the TFTP server gets rogue information, which allows the attacker to intercept all its SIP traffic. This step, shown in the Figure 3, is framed in the Box A. Each of its sub-boxes (i.e. 1, 2 and 3) regroups related activities. Note that Box 3 has to be done in conjunction with Box 1 or 2 and only afterwards, not as standalone. Box 1: This attack shows how to redirect all traffic to a rogue service. The first thing that the attacker has to do is to set up a TFTP server. Once done, all the traffic directed to the target TFTP has to be transferred to the machine running this rogue TFTP service. One possible action to achieve this redirection is to poison the network with ARP spoofed packet. This poisoning has to be done just to the target devices or in switches close to the service. Other techniques exist to accomplish the same, as, for example, Spanning Tree attacks, but are out of the scope of this article. Another solution to redirect the traffic is to directly set up the IP address of the fake TFTP server on the target device. This can be easily done if the device is getting its TFTP IP address from the DHCP service. If that is the case, the attacker can run such a service with this fake information and overwrite the genuine data. Box 2: This approach shows a way where the files to be retrieved from the TFTP server are overwritten. First the attacker has to know which files he wants to overwrite or create. The identification can be done by a passive scanner which just reads traffic on the network and interprets messages under the TFTP protocol. This is possible, since no encryption is usually used in this step. Additionally, some devices use a file name that is built using well know prefixes and postfix attached to the MAC address of the device. Once the files are known, the TFTP server can be tested to see if write access is granted on it and if possible, these files are modified with rogue configuration data. Box 3: Finally the objective of this sub-tree framed in the box is to identify which are the devices that retrieve their configuration from the TFTP servers and make them reload the new configuration. The identification can be done as

9 Fig. 3. Attack Tree Example explained in the Box 2 by a passive scanner which is listening to the TFTP protocol. Once the TFTP dependent devices are identified, information concerning their OS, software, version, etc. will help to find vulnerabilities that will force the device to retrieve the new configuration (e.g. reboot the device). It is worth to note that those attacks are very naive and if they accomplish the objective, it is very probable that they will be detected by an IDS. The contribution of this example is to show how automation of these tasks can be done. C. Scripting Environment This extension represents the active assessment part of the architecture. It provides an environment where pre-defined tests can be retrieved from a repository and where new ones can be generated on the fly, with the possibility of storing the procedure in the repository for later use. As the core implementation and the wrappers (i.e. wrappers for the external tools used) are coded in Python, all tests are specified as a Python script and the interactive environment is a derivation of the one from Python. 1) Python Language Embedding: Lately, tools like Scapy [11] (a Packet Manipulator Program) are gaining popularity, mostly because their usability and flexibility of programming. Our approach was designed with the same goals in mind, to include functionalities developed by these tools and complement them with information from application levels. Thus, the information included is the one described in the Information Model which will provide all the data obtained by the discovery actions. Meanwhile, the interactive environment corresponds to an extension of the Python interactive environment which provides functionalities such as a low level packets generator and pre-defined high level attacks. 2) Example script: Figure 3 in box 1, shows a sub-attack that, as explained previously, tries to redirect the real TFTP server IP to a rogue one. To alter the DHCP Service, first a rogue server must be

10 running in a vulnerable machine, which will try to distribute the IP of the fake TFTP server. To create an ARP spoofing attack the repository provides a predefined script, which may require some information like the target IP, the IP of the device that has to be impersonated and the MAC to redirect the packets. For such attacks, the application has to be launched inside the LAN. The script attack should proceed like shown below. ## R e t r i e v e s a l l t h e S e r v i c e i n s t a n c e s of t h e devi ## ## c e s which p r o v i d e s TFTP ## >>> TFTPServices = Model. S e r v i c e s ( f i l t e r = i s i n s t a n c e ( s e l f, TFTP Service ) ) ## S t a r t ARP s p o o f i n g f o r each S e r v e r ## >>> f o r t f t p s e r v e r i n TFTPServices :... t f t p I P = t f t p s e r v e r. Device. C o n f i g u r a t i o n. IP ## For t h e IP of t h e c l i e n t s of t h i s TFTP ##... f o r c l i e n t I P i n t f t p s e r v e r. TFTP Client ( ). IP : ## Launch ARP p o i s o n i n g a t t a c k ## >>> A t t a c k. ARP Poisoning ( t a r g e t I P = c l i e n t I P, i m p e r s o n a t e I P = t f t p I P, fakemac= fakemac ) The second alternative to alter a TFTP Service described as Box 2 (Figure 3), i.e. for discovery if writing access is granted, should proceed as follow. >>> from scapy import sr1, IP, UDP >>> from scapy. e x t r a s i m p o r t TFTP >>> g r a n t e d A c c e s s = [ ] ## R e t r i e v e s a l l t h e S e r v i c e i n s t a n c e s of t h e devi ## ## c e s which p r o v i d e s TFTP ## >>> TFTPServices = Model. S e r v i c e s ( f i l t e r = i s i n s t a n c e ( s e l f, TFTP Service ) ) ## Check w r i t i n g a c c e s s f o r each S e r v e r ## >>> f o r t f t p s e r v e r i n TFTPServices :... t f t p I P = t f t p s e r v e r. Device. C o n f i g u r a t i o n. IP... f o r f i l e i n t f t p s e r v e r. f i l e s : ## Use scapy t o i n j e c t TFTP p a c k e t s ##... p = s r 1 ( IP ( d s t = t f t p I P ) / UDP ( ) / TFPT ( d s t f i l e = f i l e, Opcode=WRITE REQUEST ) ) ## Check t h e answer f o r w r i t i n g a c c e s s ##... i f p [ 3 ]. Opcode!= ERROR CODE:... g r a n t e d A c c e s s. append ( ( t f t p I P, f i l e ) ) Finally, the third box shown in Figure 3, which should work in conjunction with the box 1 or 2, requires that the device requests the new rogue configuration from the TFTP server. Some SIP hard phones reload the dial plan by sending a NOTIFY message with the option event check-cfg and depending on the current configuration it is possible to make them reboot and reload it. >>> from scapy import sr1, IP, UDP >>> from scapy. e x t r a s i m p o r t SIP ## R e t r i e v e s a l l t h e SIP UA with t h e ## ## v e r s i o n which can be r e b o o t e d ## >>> sipuas = Model. S e r v i c e s ( f i l t e r = i s i n s t a n c e ( s e l f, SIP UA) and s e l f. s o f t w a r e = XXXX and s e l f. v e r s i o n <= X.XX ) ## Use scapy t o i n j e c t t h e NOTIFY p a c k e t s ## >>> f o r UA in sipuas :... UA IP = UA. Device. C o n f i g u r a t i o n. IP... p = s r 1 ( IP ( d s t =UA IP ) / UDP ( ) / SIP ( Method= NOTIFY, Event = check cfg ) ) VI. RELATED WORK Security assessment for VoIP is rather immature at the moment. Both a methodology as well as supporting tools are missing. Some recent books like, for instance, Practical VoIP Security [21] and VoIP Security [18] describe the functioning, best practices and recommendations for securing VoIP network and services without, however, providing guidelines on how to test them. In the research community, recent work on formal descriptions on how penetration tests can be accomplished ranges from modelling attack trees [19], Colored Petri Nets [12] to Attacks Graphs [17]. The major differences consist in their power of expressiveness as well as in their complexity. However, all of them do address in a formal way how to combine attack actions and show how a main goal can be achieved from a sequence of steps that will jointly form a global plan. In practice, Nessus [4] is a vulnerability scanner among the most widely used by network security teams. It is able to obtain from its scans or by interacting with NMAP [5], a large variety of essential functionalities that are highly relevant in an assessment test. It also provides a scripting language NASL (Nessus Attack Scripting Language) to add new functionalities, but in fact this language was meant to be secure rather than powerfull which limits the capability to write advanced tests. Meanwhile, Scapy [11] embeds itself in Python providing a real language environment lacking however a common Knowledge database to show the current topology and status of the network. Our approach took as starting point the provision of a common Knowledge database obtained from different applications and it is embedded in a programming language (Python) to freely define the steps to take in the assessment process. VII. CONCLUSION Our current research, performed in the MADYNES research group, addresses the secure management of VoIP networks. One of our main work direction is an integrated system able to retrieve as much as possible the information of the environment. Such data can be used by penetration tests and can show scenarios allowing to identify where the flaws of the system are located.

11 In this article we mainly focus on VoIP networks but we consider that this approach as well as the architecture model can be extended to several other types of networks. We show how accurate information from the network can be gathered, and next provide an Information Model capable to represent it in an appropriate way for assessment methods. Our paper has three main contributions: we propose a network information model capable to represent the information required to perform VoIP assessment, we describe a VoIP assessment architecture and its implementation and we build a framework based on attack tree modelling in order to represent and write VoIP attacks. Our future work consists in a smart VoIP infrastructure capable to perform automated intrusion prevention and active response. REFERENCES [1] CDP: Cisco Discovery Protocol. : Configuring the Cisco Discovery Protocol. [2] Common Information Model (CIM). [3] IRPAS: Internetwork Routing Protocol Attack Suite. [4] Nessus: Vulnerability Scanner. [5] Nmap: Network Mapper. [6] Signalling System #7 (SS7). [7] The Voice over IP Security Alliance (VOIPSA). [8] US-CERT Vulnerability Notes. [9] O. Arkin. Demystifying Passive Network Discovery and Monitoring Systems. June ;login: The USENIX Magazine. [10] D. Barroso and A. Andrs. Yersinia: Framework for layer 2 attacks. [11] Philippe Biondi. Scapy: Packet Manipulation Program. [12] O. Dahl and S. Wolthusen. Modeling and execution of complex attack scenarios using interval timed colored petri nets. In IWIA 06: Proceedings of the Fourth IEEE International Workshop on Information Assurance (IWIA 06), pages , Washington, DC, USA, IEEE Computer Society. [13] R. State H. Abdelnur, V. Cridlig and O. Festor. VoIP Security Assessment: Methods and Tools. In The 1st IEEE workshop on VoIP Management and Security, April [14] H. Zhang Z. Shae H. Yan, K. Sripanidkulchai and D. Saha. Incorporating Active Fingerprinting into SPIT Prevention Systems. Third Annual VoIP Security Workshop (VSW 06), July [15] D. Lee, D. Chen, R. Hao, R. Miller, J. Wu, and X. Yin. A formal approach for passive testing of protocol data portions. In ICNP 02: Proceedings of the 10th IEEE International Conference on Network Protocols, pages IEEE Computer Society, [16] C. McNab. Network Security Assessment. O Reilly; 1 edition, March 2004). [17] S. Jha R. Lippmann O. Sheyner, J. Haines and J. Wing. Automated generation and analysis of attack graphs. In SP 02: Proceedings of the 2002 IEEE Symposium on Security and Privacy, page 273, Washington, DC, USA, IEEE Computer Society. [18] J. Ransome and J. Rittinghouse. VoIP Security. Elsevier, [19] B. Schneier. Attack Trees, Modeling Security Threats,. Dr. Dobb s Journal, December [20] H. Schulzrinne, G. Camarillo, A. Johnston, J. Peterson, R. Sparks, M. Handley, and E. Schooler. SIP: Session Initiation Protocol. June [21] A. Zmolek A. Rosela M. Cross L. Chaffin B. Baskin T. Porter, J. Kanclirz and C. Shim. Practical VoIP Security. Andrew Williams, [22] International Telecommunications Union. H.323 Standards. [23] Oulu University. PROTOS Test-Suite: c07-sip [24] Michal Zalewski. P0f: a versatile passive OS fingerprinting tool.

Assessing the security of VoIP Services

Assessing the security of VoIP Services Assessing the security of VoIP Services H. Abdelnur, R. State, I. Chrisment, C. Popi LORIA - INRIA Lorraine 615, rue du jardin botanique 54602 Villers-les-Nancy, France {abdelnur state chrisment popi}@loria.fr

More information

The Trivial Cisco IP Phones Compromise

The Trivial Cisco IP Phones Compromise Security analysis of the implications of deploying Cisco Systems SIP-based IP Phones model 7960 Ofir Arkin Founder The Sys-Security Group ofir@sys-security.com http://www.sys-security.com September 2002

More information

Managing Risks at Runtime in VoIP Networks and Services

Managing Risks at Runtime in VoIP Networks and Services Managing Risks at Runtime in VoIP Networks and Services Oussema Dabbebi, Remi Badonnel, Olivier Festor To cite this version: Oussema Dabbebi, Remi Badonnel, Olivier Festor. Managing Risks at Runtime in

More information

Recommended IP Telephony Architecture

Recommended IP Telephony Architecture Report Number: I332-009R-2006 Recommended IP Telephony Architecture Systems and Network Attack Center (SNAC) Updated: 1 May 2006 Version 1.0 SNAC.Guides@nsa.gov This Page Intentionally Left Blank ii Warnings

More information

Voice Over IP (VoIP) Denial of Service (DoS)

Voice Over IP (VoIP) Denial of Service (DoS) Introduction Voice Over IP (VoIP) Denial of Service (DoS) By Mark Collier Chief Technology Officer SecureLogix Corporation mark.collier@securelogix.com Denial of Service (DoS) is an issue for any IP network-based

More information

Cconducted at the Cisco facility and Miercom lab. Specific areas examined

Cconducted at the Cisco facility and Miercom lab. Specific areas examined Lab Testing Summary Report July 2009 Report 090708 Product Category: Unified Communications Vendor Tested: Key findings and conclusions: Cisco Unified Communications solution uses multilayered security

More information

CMPT 471 Networking II

CMPT 471 Networking II CMPT 471 Networking II Firewalls Janice Regan, 2006-2013 1 Security When is a computer secure When the data and software on the computer are available on demand only to those people who should have access

More information

CS5008: Internet Computing

CS5008: Internet Computing CS5008: Internet Computing Lecture 22: Internet Security A. O Riordan, 2009, latest revision 2015 Internet Security When a computer connects to the Internet and begins communicating with others, it is

More information

Voice over IP. VoIP (In) Security. Presented by Darren Bilby NZISF 14 July 2005

Voice over IP. VoIP (In) Security. Presented by Darren Bilby NZISF 14 July 2005 Voice over IP VoIP (In) Security Presented by Darren Bilby NZISF 14 July 2005 Security-Assessment.com Who We Are NZ s only pure-play security firm Largest team of security professionals in NZ Offices in

More information

A Brief Overview of VoIP Security. By John McCarron. Voice of Internet Protocol is the next generation telecommunications method.

A Brief Overview of VoIP Security. By John McCarron. Voice of Internet Protocol is the next generation telecommunications method. A Brief Overview of VoIP Security By John McCarron Voice of Internet Protocol is the next generation telecommunications method. It allows to phone calls to be route over a data network thus saving money

More information

https://elearn.zdresearch.com https://training.zdresearch.com/course/pentesting

https://elearn.zdresearch.com https://training.zdresearch.com/course/pentesting https://elearn.zdresearch.com https://training.zdresearch.com/course/pentesting Chapter 1 1. Introducing Penetration Testing 1.1 What is penetration testing 1.2 Different types of test 1.2.1 External Tests

More information

PENTEST. Pentest Services. VoIP & Web. www.novacybersecurity.com

PENTEST. Pentest Services. VoIP & Web. www.novacybersecurity.com PENTEST VoIP & Web Pentest Services VoIP & WEB Penetration Testing The Experinced and National VoIP/Unified Communications R&D organization, NETAŞ NOVA Pentest Services test the applications, infrastructure

More information

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 4 Finding Network Vulnerabilities

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 4 Finding Network Vulnerabilities FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 4 Finding Network Vulnerabilities Learning Objectives Name the common categories of vulnerabilities Discuss common system

More information

ForeScout CounterACT. Device Host and Detection Methods. Technology Brief

ForeScout CounterACT. Device Host and Detection Methods. Technology Brief ForeScout CounterACT Device Host and Detection Methods Technology Brief Contents Introduction... 3 The ForeScout Approach... 3 Discovery Methodologies... 4 Passive Monitoring... 4 Passive Authentication...

More information

Tools for Attacking Layer 2 Network Infrastructure

Tools for Attacking Layer 2 Network Infrastructure Tools for Attacking Layer 2 Network Infrastructure Kai-Hau Yeung, Dereck Fung, and Kin-Yeung Wong Abstract Data Link layer is considered as the weakest link in a secured network. If an initial attack comes

More information

Building Secure Network Infrastructure For LANs

Building Secure Network Infrastructure For LANs Building Secure Network Infrastructure For LANs Yeung, K., Hau; and Leung, T., Chuen Abstract This paper discusses the building of secure network infrastructure for local area networks. It first gives

More information

VOICE OVER IP SECURITY

VOICE OVER IP SECURITY VOICE OVER IP SECURITY February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in part without

More information

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs Why Network Security? Keep the bad guys out. (1) Closed networks

More information

Security issues in Voice over IP: A Review

Security issues in Voice over IP: A Review www.ijecs.in International Journal Of Engineering And Computer Science ISSN:2319-7242 Volume 3 Issue 2 February, 2014 Page No. 3879-3883 Security issues in Voice over IP: A Review Rajni a, Preeti a, Ritu

More information

Linux Network Security

Linux Network Security Linux Network Security Course ID SEC220 Course Description This extremely popular class focuses on network security, and makes an excellent companion class to the GL550: Host Security course. Protocols

More information

Global Identity Management of Virtual Machines Based on Remote Secure Elements

Global Identity Management of Virtual Machines Based on Remote Secure Elements Global Identity Management of Virtual Machines Based on Remote Secure Elements Hassane Aissaoui, P. Urien, Guy Pujolle To cite this version: Hassane Aissaoui, P. Urien, Guy Pujolle. Global Identity Management

More information

Security of IPv6 and DNSSEC for penetration testers

Security of IPv6 and DNSSEC for penetration testers Security of IPv6 and DNSSEC for penetration testers Vesselin Hadjitodorov Master education System and Network Engineering June 30, 2011 Agenda Introduction DNSSEC security IPv6 security Conclusion Questions

More information

Mobility management and vertical handover decision making in heterogeneous wireless networks

Mobility management and vertical handover decision making in heterogeneous wireless networks Mobility management and vertical handover decision making in heterogeneous wireless networks Mariem Zekri To cite this version: Mariem Zekri. Mobility management and vertical handover decision making in

More information

Basic Vulnerability Issues for SIP Security

Basic Vulnerability Issues for SIP Security Introduction Basic Vulnerability Issues for SIP Security By Mark Collier Chief Technology Officer SecureLogix Corporation mark.collier@securelogix.com The Session Initiation Protocol (SIP) is the future

More information

Security Considerations in IP Telephony Network Configuration

Security Considerations in IP Telephony Network Configuration Security Considerations in IP Telephony Network Configuration Abstract This Technical Report deals with fundamental security settings in networks to provide secure VoIP services. Example configurations

More information

Threats to be considered (1) ERSTE GROUP

Threats to be considered (1) ERSTE GROUP VoIP-Implementation Lessons Learned Philipp Schaumann Erste Group Bank AG Group IT-Security philipp.schaumann@erstegroup.com http://sicherheitskultur.at/ Seite 1 Threats to be considered (1) Eavesdropping

More information

An outline of the security threats that face SIP based VoIP and other real-time applications

An outline of the security threats that face SIP based VoIP and other real-time applications A Taxonomy of VoIP Security Threats An outline of the security threats that face SIP based VoIP and other real-time applications Peter Cox CTO Borderware Technologies Inc VoIP Security Threats VoIP Applications

More information

A Call Conference Room Interception Attack and its Detection

A Call Conference Room Interception Attack and its Detection A Call Conference Room Interception Attack and its Detection Nikos Vrakas 1, Dimitris Geneiatakis 2 and Costas Lambrinoudakis 1 1 Department of Digital Systems, University of Piraeus 150 Androutsou St,

More information

Avaya ExpertNet Lite Assessment Tool

Avaya ExpertNet Lite Assessment Tool IP Telephony Contact Centers Mobility Services WHITE PAPER Avaya ExpertNet Lite Assessment Tool April 2005 avaya.com Table of Contents Overview... 1 Network Impact... 2 Network Paths... 2 Path Generation...

More information

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN Virtual private network Network security protocols COMP347 2006 Len Hamey Instead of a dedicated data link Packets securely sent over a shared network Internet VPN Public internet Security protocol encrypts

More information

Ron Shuck, CISSP, CISM, CISA, GCIA Infrastructure Security Architect Spirit AeroSystems

Ron Shuck, CISSP, CISM, CISA, GCIA Infrastructure Security Architect Spirit AeroSystems Ron Shuck, CISSP, CISM, CISA, GCIA Infrastructure Security Architect Spirit AeroSystems VOIP Components Common Threats How Threats are Used Future Trends Provides basic network connectivity and transport

More information

Enumerating and Breaking VoIP

Enumerating and Breaking VoIP Enumerating and Breaking VoIP Introduction Voice over Internet Protocol (VoIP) has seen rapid implementation over the past few years. Most of the organizations which have implemented VoIP are either unaware

More information

Using Nessus to Detect Wireless Access Points. March 6, 2015 (Revision 4)

Using Nessus to Detect Wireless Access Points. March 6, 2015 (Revision 4) Using Nessus to Detect Wireless Access Points March 6, 2015 (Revision 4) Table of Contents Introduction... 3 Why Detect Wireless Access Points?... 3 Wireless Scanning for WAPs... 4 Detecting WAPs using

More information

Threat Mitigation for VoIP

Threat Mitigation for VoIP Threat Mitigation for VoIP Bogdan Materna, VP Engineering and CTO VoIPshield Systems Third Annual VoIP Security Workshop June 2, 2006 Overview Basics VoIP Security Impact Examples of real vulnerabilities

More information

ibalance-abf: a Smartphone-Based Audio-Biofeedback Balance System

ibalance-abf: a Smartphone-Based Audio-Biofeedback Balance System ibalance-abf: a Smartphone-Based Audio-Biofeedback Balance System Céline Franco, Anthony Fleury, Pierre-Yves Guméry, Bruno Diot, Jacques Demongeot, Nicolas Vuillerme To cite this version: Céline Franco,

More information

Firewalls, Tunnels, and Network Intrusion Detection. Firewalls

Firewalls, Tunnels, and Network Intrusion Detection. Firewalls Firewalls, Tunnels, and Network Intrusion Detection 1 Firewalls A firewall is an integrated collection of security measures designed to prevent unauthorized electronic access to a networked computer system.

More information

Voice over IP (VoIP) Vulnerabilities

Voice over IP (VoIP) Vulnerabilities Voice over IP (VoIP) Vulnerabilities The Technical Presentation Diane Davidowicz NOAA Computer Incident Response Team N-CIRT diane.davidowicz@noaa.gov "Security problems in state of the art IP-Telephony

More information

Security Technology White Paper

Security Technology White Paper Security Technology White Paper Issue 01 Date 2012-10-30 HUAWEI TECHNOLOGIES CO., LTD. 2012. All rights reserved. No part of this document may be reproduced or transmitted in any form or by any means without

More information

Detecting rogue systems

Detecting rogue systems Product Guide Revision A McAfee Rogue System Detection 4.7.1 For use with epolicy Orchestrator 4.6.3-5.0.0 Software Detecting rogue systems Unprotected systems, referred to as rogue systems, are often

More information

Best Practices for Securing IP Telephony

Best Practices for Securing IP Telephony Best Practices for Securing IP Telephony Irwin Lazar, CISSP Senior Analyst Burton Group Agenda VoIP overview VoIP risks Mitigation strategies Recommendations VoIP Overview Hosted by VoIP Functional Diagram

More information

IEEE 802.1Q. Voice VLAN

IEEE 802.1Q. Voice VLAN 1 VLAN (Virtual Local Area Network) is used to logically divide a physical network into several broadcast domains. VLAN membership can be configured through software instead of physically relocating devices

More information

Firewalls, Tunnels, and Network Intrusion Detection

Firewalls, Tunnels, and Network Intrusion Detection Firewalls, Tunnels, and Network Intrusion Detection 1 Part 1: Firewall as a Technique to create a virtual security wall separating your organization from the wild west of the public internet 2 1 Firewalls

More information

Firewalls. Ola Flygt Växjö University, Sweden http://w3.msi.vxu.se/users/ofl/ Ola.Flygt@vxu.se +46 470 70 86 49. Firewall Design Principles

Firewalls. Ola Flygt Växjö University, Sweden http://w3.msi.vxu.se/users/ofl/ Ola.Flygt@vxu.se +46 470 70 86 49. Firewall Design Principles Firewalls Ola Flygt Växjö University, Sweden http://w3.msi.vxu.se/users/ofl/ Ola.Flygt@vxu.se +46 470 70 86 49 1 Firewall Design Principles Firewall Characteristics Types of Firewalls Firewall Configurations

More information

SIP Security Controllers. Product Overview

SIP Security Controllers. Product Overview SIP Security Controllers Product Overview Document Version: V1.1 Date: October 2008 1. Introduction UM Labs have developed a range of perimeter security gateways for VoIP and other applications running

More information

Predictability of Windows DNS resolver. ing. Roberto Larcher - http://webteca.altervista.org - robertolarcher@hotmail.com

Predictability of Windows DNS resolver. ing. Roberto Larcher - http://webteca.altervista.org - robertolarcher@hotmail.com Predictability of Windows DNS resolver ing. Roberto Larcher - http://webteca.altervista.org - robertolarcher@hotmail.com rev. 1 - March 11, 2004 Abstract The main DNS security issues have very often focused

More information

Port Scanning and Vulnerability Assessment. ECE4893 Internetwork Security Georgia Institute of Technology

Port Scanning and Vulnerability Assessment. ECE4893 Internetwork Security Georgia Institute of Technology Port Scanning and Vulnerability Assessment ECE4893 Internetwork Security Georgia Institute of Technology Agenda Reconnaissance Scanning Network Mapping OS detection Vulnerability assessment Reconnaissance

More information

A Link Layer Discovery Protocol Fuzzer

A Link Layer Discovery Protocol Fuzzer The University of Texas at Austin, Department of Computer Sciences, Technical Report TR-07-24 A Link Layer Discovery Protocol Fuzzer Jeremy Hollander Department of Computer Sciences The University of Texas

More information

Web Application Security

Web Application Security E-SPIN PROFESSIONAL BOOK Vulnerability Management Web Application Security ALL THE PRACTICAL KNOW HOW AND HOW TO RELATED TO THE SUBJECT MATTERS. COMBATING THE WEB VULNERABILITY THREAT Editor s Summary

More information

SS7 & LTE Stack Attack

SS7 & LTE Stack Attack SS7 & LTE Stack Attack Ankit Gupta Black Hat USA 2013 akg0x11@gmail.com Introduction With the evolution of IP network, Telecom Industries are using it as their core mode of communication for their network

More information

SIP Proxy. SIP Proxy. Bicom SYSTEMS. SIP Proxy... Advanced Simplicity

SIP Proxy. SIP Proxy. Bicom SYSTEMS. SIP Proxy... Advanced Simplicity Session border controller solution offering high performance, security and SIP compliance connectivity. 1 DIAGRAM : Registration SIP Client registration for all users (, Business, Hosted PBXware and Wholesale)

More information

Emergency Services Interconnection Forum (ESIF) Emergency Services Messaging Interface Task Force ( Task Force 34 )

Emergency Services Interconnection Forum (ESIF) Emergency Services Messaging Interface Task Force ( Task Force 34 ) Emergency Services Interconnection Forum (ESIF) Emergency Services Messaging Interface Task Force ( Task Force 34 ) Contribution Title: Implementing ESMI with SIP and ESTP Contribution Number: Submission

More information

CS 665: Computer System Security. Network Security. Usage environment. Sources of vulnerabilities. Information Assurance Module

CS 665: Computer System Security. Network Security. Usage environment. Sources of vulnerabilities. Information Assurance Module CS 665: Computer System Security Network Security Bojan Cukic Lane Department of Computer Science and Electrical Engineering West Virginia University 1 Usage environment Anonymity Automation, minimal human

More information

Overview. Summary of Key Findings. Tech Note PCI Wireless Guideline

Overview. Summary of Key Findings. Tech Note PCI Wireless Guideline Overview The following note covers information published in the PCI-DSS Wireless Guideline in July of 2009 by the PCI Wireless Special Interest Group Implementation Team and addresses version 1.2 of the

More information

JK0-022 CompTIA Academic/E2C Security+ Certification Exam CompTIA

JK0-022 CompTIA Academic/E2C Security+ Certification Exam CompTIA JK0-022 CompTIA Academic/E2C Security+ Certification Exam CompTIA To purchase Full version of Practice exam click below; http://www.certshome.com/jk0-022-practice-test.html FOR CompTIA JK0-022 Exam Candidates

More information

A Study on the Security aspects of Network System Using Penetration Testing

A Study on the Security aspects of Network System Using Penetration Testing A Study on the Security aspects of Network System Using Penetration Testing 1 Shwetabh Suman, 2 Vedant Rastogi 1,2 Institute of Engineering and Technology, Alwar, India 1 shwetabhsuman13@gmail.com 2 vedantnoki@gmail.com

More information

Symantec Endpoint Protection 11.0 Network Threat Protection (Firewall) Overview and Best Practices White Paper

Symantec Endpoint Protection 11.0 Network Threat Protection (Firewall) Overview and Best Practices White Paper Symantec Endpoint Protection 11.0 Network Threat Protection (Firewall) Overview and Best Practices White Paper Details: Introduction When computers in a private network connect to the Internet, they physically

More information

Firewall Builder Architecture Overview

Firewall Builder Architecture Overview Firewall Builder Architecture Overview Vadim Zaliva Vadim Kurland Abstract This document gives brief, high level overview of existing Firewall Builder architecture.

More information

20-CS-6053-00X Network Security Spring, 2014. An Introduction To. Network Security. Week 1. January 7

20-CS-6053-00X Network Security Spring, 2014. An Introduction To. Network Security. Week 1. January 7 20-CS-6053-00X Network Security Spring, 2014 An Introduction To Network Security Week 1 January 7 Attacks Criminal: fraud, scams, destruction; IP, ID, brand theft Privacy: surveillance, databases, traffic

More information

LifeSize Transit Deployment Guide June 2011

LifeSize Transit Deployment Guide June 2011 LifeSize Transit Deployment Guide June 2011 LifeSize Tranist Server LifeSize Transit Client LifeSize Transit Deployment Guide 2 Firewall and NAT Traversal with LifeSize Transit Firewalls and Network Address

More information

Faut-il des cyberarchivistes, et quel doit être leur profil professionnel?

Faut-il des cyberarchivistes, et quel doit être leur profil professionnel? Faut-il des cyberarchivistes, et quel doit être leur profil professionnel? Jean-Daniel Zeller To cite this version: Jean-Daniel Zeller. Faut-il des cyberarchivistes, et quel doit être leur profil professionnel?.

More information

Host Discovery with nmap

Host Discovery with nmap Host Discovery with nmap By: Mark Wolfgang moonpie@moonpie.org November 2002 Table of Contents Host Discovery with nmap... 1 1. Introduction... 3 1.1 What is Host Discovery?... 4 2. Exploring nmap s Default

More information

The Nexpose Expert System

The Nexpose Expert System Technical Paper The Nexpose Expert System Using an Expert System for Deeper Vulnerability Scanning Executive Summary This paper explains how Rapid7 Nexpose uses an expert system to achieve better results

More information

Additional mechanisms for rewriting on-the-fly SPARQL queries proxy

Additional mechanisms for rewriting on-the-fly SPARQL queries proxy Additional mechanisms for rewriting on-the-fly SPARQL queries proxy Arthur Vaisse-Lesteven, Bruno Grilhères To cite this version: Arthur Vaisse-Lesteven, Bruno Grilhères. Additional mechanisms for rewriting

More information

On the Deficiencies of Active Network Discovery Systems

On the Deficiencies of Active Network Discovery Systems On the Deficiencies of Active Network Discovery Systems Ofir Arkin Chief Technology Officer Insightix Copyright 2012 - All Rights Reserved. This material is proprietary of Insightix. Any unauthorized

More information

Security Testing Summary of Next-Generation Enterprise VoIP Solution: Unify Inc. OpenScape SBC V8

Security Testing Summary of Next-Generation Enterprise VoIP Solution: Unify Inc. OpenScape SBC V8 Security Testing Summary of Next-Generation Enterprise VoIP Solution: Unify Inc. OpenScape SBC V8 SR140531D 19 August 2014 Miercom www.miercom.com Overview Unify Inc. (formerly Siemens Enterprise Communications)

More information

VoIP Security Threats and Vulnerabilities

VoIP Security Threats and Vulnerabilities Abstract VoIP Security Threats and Vulnerabilities S.M.A.Rizvi and P.S.Dowland Network Research Group, University of Plymouth, Plymouth, UK e-mail: info@network-research-group.org This paper presents the

More information

Protect Yourself Against VoIP Hacking. Mark D. Collier Chief Technology Officer SecureLogix Corporation

Protect Yourself Against VoIP Hacking. Mark D. Collier Chief Technology Officer SecureLogix Corporation Protect Yourself Against VoIP Hacking Mark D. Collier Chief Technology Officer SecureLogix Corporation What Will Be Covered How to assess the security of your IPT network: In house/external and ground

More information

Challenges and opportunities for Open Source solutions

Challenges and opportunities for Open Source solutions GDS20910 39HA83090K2 D3 S20910 328MGD 7 W510200RQ1 UT 10 T28GHY620 JH7 BE4ET276 90K2 D39HA83 0K2 D39HA830 8JD6200NS12 RQ1 UTW510200 H7 BE4ET2763J 8HGDOI0912 M1 Y620110 T28GH UTW510200 83090K2 GDS20910

More information

Guidance Regarding Skype and Other P2P VoIP Solutions

Guidance Regarding Skype and Other P2P VoIP Solutions Guidance Regarding Skype and Other P2P VoIP Solutions Ver. 1.1 June 2012 Guidance Regarding Skype and Other P2P VoIP Solutions Scope This paper relates to the use of peer-to-peer (P2P) VoIP protocols,

More information

Course Overview: Learn the essential skills needed to set up, configure, support, and troubleshoot your TCP/IP-based network.

Course Overview: Learn the essential skills needed to set up, configure, support, and troubleshoot your TCP/IP-based network. Course Name: TCP/IP Networking Course Overview: Learn the essential skills needed to set up, configure, support, and troubleshoot your TCP/IP-based network. TCP/IP is the globally accepted group of protocols

More information

Industrial Network Security for SCADA, Automation, Process Control and PLC Systems. Contents. 1 An Introduction to Industrial Network Security 1

Industrial Network Security for SCADA, Automation, Process Control and PLC Systems. Contents. 1 An Introduction to Industrial Network Security 1 Industrial Network Security for SCADA, Automation, Process Control and PLC Systems Contents 1 An Introduction to Industrial Network Security 1 1.1 Course overview 1 1.2 The evolution of networking 1 1.3

More information

Firewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA

Firewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA Firewalls Securing Networks Chapter 3 Part 1 of 4 CA M S Mehta, FCA 1 Firewalls Learning Objectives Task Statements 1.3 Recognise function of Telecommunications and Network security including firewalls,..

More information

IPv6 SECURITY. May 2011. The Government of the Hong Kong Special Administrative Region

IPv6 SECURITY. May 2011. The Government of the Hong Kong Special Administrative Region IPv6 SECURITY May 2011 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in part without the express

More information

Firewalls and Intrusion Detection

Firewalls and Intrusion Detection Firewalls and Intrusion Detection What is a Firewall? A computer system between the internal network and the rest of the Internet A single computer or a set of computers that cooperate to perform the firewall

More information

Detection of illegal gateways in protected networks

Detection of illegal gateways in protected networks Detection of illegal gateways in protected networks Risto Vaarandi and Kārlis Podiņš Cooperative Cyber Defence Centre of Excellence Tallinn, Estonia firstname.lastname@ccdcoe.org 1. Introduction In this

More information

Chapter 2 PSTN and VoIP Services Context

Chapter 2 PSTN and VoIP Services Context Chapter 2 PSTN and VoIP Services Context 2.1 SS7 and PSTN Services Context 2.1.1 PSTN Architecture During the 1990s, the telecommunication industries provided various PSTN services to the subscribers using

More information

HughesNet Broadband VPN End-to-End Security Enabled by the HN7700S-R

HughesNet Broadband VPN End-to-End Security Enabled by the HN7700S-R HughesNet Broadband VPN End-to-End Security Enabled by the HN7700S-R HughesNet Managed Broadband Network Services include a high level of end-toend security utilizing a robust architecture designed by

More information

Chapter 8 Security Pt 2

Chapter 8 Security Pt 2 Chapter 8 Security Pt 2 IC322 Fall 2014 Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012 All material copyright 1996-2012 J.F Kurose and K.W. Ross,

More information

Design of a SIP Outbound Edge Proxy (EPSIP)

Design of a SIP Outbound Edge Proxy (EPSIP) Design of a SIP Outbound Edge Proxy (EPSIP) Sergio Lembo Dept. of Communications and Networking Helsinki University of Technology (TKK) P.O. Box 3000, FI-02015 TKK, Finland Jani Heikkinen, Sasu Tarkoma

More information

Bypassing Network Access Control Systems

Bypassing Network Access Control Systems Bypassing Network Access Control Systems Ofir Arkin Chief Technology Officer Insightix Ltd. September 2006 United States International 945 Concord Street 13 Hasadna Street Framingham, MA 01701 Ra'anana,

More information

VoIP Security Management

VoIP Security Management VoIP Security Management Humberto Abdelnur, Vincent Cridlig, Jérome Bourdellon, Radu State, Olivier Festor LORIA-INRIA Lorraine, France {abdelnur, cridligv, bourdellon, state, festor}@loria.fr http://madynes.loria.fr

More information

SY0-201. system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users.

SY0-201. system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users. system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users. From a high-level standpoint, attacks on computer systems and networks can be grouped

More information

Executive Summary. AUGUST 2002 Secure Use of VLANs: An @stake Security Assessment

Executive Summary. AUGUST 2002 Secure Use of VLANs: An @stake Security Assessment R e s e a r c h R e p o r t @stake consultants David Pollino and Mike Schiffman, CISSP, conducted the testing and analysis. Mr. Pollino is the Director of the Wireless Center of Excellence at @stake. He

More information

Configuring and Managing Token Ring Switches Using Cisco s Network Management Products

Configuring and Managing Token Ring Switches Using Cisco s Network Management Products Configuring and Managing Token Ring Switches Using Cisco s Network Management Products CHAPTER 12 Cisco offers several network management applications that you can use to manage your Catalyst Token Ring

More information

Deployment of Snort IDS in SIP based VoIP environments

Deployment of Snort IDS in SIP based VoIP environments Deployment of Snort IDS in SIP based VoIP environments Jiří Markl, Jaroslav Dočkal Jaroslav.Dockal@unob.cz K-209 Univerzita obrany Kounicova 65, 612 00 Brno Czech Republic Abstract This paper describes

More information

Release the full potential of your Cisco Call Manager with Ingate Systems

Release the full potential of your Cisco Call Manager with Ingate Systems Release the full potential of your Cisco Call Manager with Ingate Systems -Save cost with flexible connection to Service Providers. -Save mobile costs, give VoIP mobility to your workforce. -Setup an effective

More information

Computer Networks: DNS a2acks CS 1951e - Computer Systems Security: Principles and Prac>ce. Domain Name System

Computer Networks: DNS a2acks CS 1951e - Computer Systems Security: Principles and Prac>ce. Domain Name System Computer Networks: DNS a2acks CS 1951e - Computer Systems Security: Principles and Prac>ce 18/02/15 Networks: DNS attacks 1 Domain Name System The domain name system (DNS) is an applica>on- layer protocol

More information

Need for Signaling and Call Control

Need for Signaling and Call Control Need for Signaling and Call Control VoIP Signaling In a traditional voice network, call establishment, progress, and termination are managed by interpreting and propagating signals. Transporting voice

More information

Second-generation (GenII) honeypots

Second-generation (GenII) honeypots Second-generation (GenII) honeypots Bojan Zdrnja CompSci 725, University of Auckland, Oct 2004. b.zdrnja@auckland.ac.nz Abstract Honeypots are security resources which trap malicious activities, so they

More information

CPNI VIEWPOINT 02/2007 ENTERPRISE VOICE OVER IP

CPNI VIEWPOINT 02/2007 ENTERPRISE VOICE OVER IP ENTERPRISE VOICE OVER IP AUGUST 2007 Abstract Voice over IP (VoIP) is the term used for a set of technologies that enable real time voice or video conversations to take place across IP networks. VoIP devices

More information

Wireless Security Overview. Ann Geyer Partner, Tunitas Group Chair, Mobile Healthcare Alliance 209-754-9130 ageyer@tunitas.com

Wireless Security Overview. Ann Geyer Partner, Tunitas Group Chair, Mobile Healthcare Alliance 209-754-9130 ageyer@tunitas.com Wireless Security Overview Ann Geyer Partner, Tunitas Group Chair, Mobile Healthcare Alliance 209-754-9130 ageyer@tunitas.com Ground Setting Three Basics Availability Authenticity Confidentiality Challenge

More information

2. From a control perspective, the PRIMARY objective of classifying information assets is to:

2. From a control perspective, the PRIMARY objective of classifying information assets is to: MIS5206 Week 13 Your Name Date 1. When conducting a penetration test of an organization's internal network, which of the following approaches would BEST enable the conductor of the test to remain undetected

More information

HONEYD (OPEN SOURCE HONEYPOT SOFTWARE)

HONEYD (OPEN SOURCE HONEYPOT SOFTWARE) HONEYD (OPEN SOURCE HONEYPOT SOFTWARE) Author: Avinash Singh Avinash Singh is a Technical Evangelist currently worksing at Appin Technology Lab, Noida. Educational Qualification: B.Tech from Punjab Technical

More information

Network Discovery Protocol LLDP and LLDP- MED

Network Discovery Protocol LLDP and LLDP- MED Network LLDP and LLDP- MED Prof. Vahida Z. Attar College of Engineering, Pune Wellesely Road, Shivajinagar, Pune-411 005. Maharashtra, INDIA Piyush chandwadkar College of Engineering, Pune Wellesely Road,

More information

040020305-Penetration Testing 2014

040020305-Penetration Testing 2014 Comprehensive Questions/Practical Based :- 040020305-Penetration Testing 2014 1. Demonstrate the installation of BackTrack using Live DVD. Also list all the steps. 2. Demonstrate the installation of BackTrack

More information

Network Discovery Protocol LLDP and LLDP- MED

Network Discovery Protocol LLDP and LLDP- MED Network LLDP and LLDP- MED Prof. Vahida Z. Attar College of Engineering, Pune Wellesely Road, Shivajinagar, Pune-411 005. Maharashtra, INDIA Piyush chandwadkar College of Engineering, Pune Wellesely Road,

More information

8. Firewall Design & Implementation

8. Firewall Design & Implementation DMZ Networks The most common firewall environment implementation is known as a DMZ, or DeMilitarized Zone network. A DMZ network is created out of a network connecting two firewalls; i.e., when two or

More information

Penetration Testing Report Client: Business Solutions June 15 th 2015

Penetration Testing Report Client: Business Solutions June 15 th 2015 Penetration Testing Report Client: Business Solutions June 15 th 2015 Acumen Innovations 80 S.W 8 th St Suite 2000 Miami, FL 33130 United States of America Tel: 1-888-995-7803 Email: info@acumen-innovations.com

More information

Conducting an IP Telephony Security Assessment

Conducting an IP Telephony Security Assessment Conducting an IP Telephony Security Assessment Mark D. Collier Chief Technology Officer mark.collier@securelogix.com www.securelogix.com Presentation Outline Ground rules and scope Discovery Security policy

More information